Nonce stealing prevention (detecting "<script") bypass
Reported by mic...@bentkowski.info, Jul 10 2017
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce the problem:

As stated in https://github.com/w3c/webappsec-csp/issues/98, Chromium contains a protection against nonce stealing, which works by detecting "<script" or "<style" in an attribute name or value. The prevention could be bypassed by a duplicated attribute name, for example:

    <!-- the following will not execute -->
    <meta http-equiv=Content-Security-Policy content="script-src 'nonce-abcd'">
    <script src=data:,alert(1) nonce="abcd" > </script>

    <!-- the following will execute -->
    <meta http-equiv=Content-Security-Policy content="script-src 'nonce-abcd'">
    <script src=data:,alert(1) x="" x="<script" nonce="abcd" > </script>

Please note that the issue has already been discussed in public:
- https://twitter.com/SecurityMB/status/883641714296193024
- https://jsbin.com/kayesofuto/edit?html,output

What is the expected behavior?

What went wrong?

The prevention should detect the "<script" string even if it is within a duplicated attribute.

Did this work before? N/A

Chrome version: 59.0.3071.115
Channel: stable
OS Version: OS X 10.12.5
Flash Version:
Jul 10 2017
Removing view restrictions for now, as the issue is already public.
Jul 10 2017
Assign to mkwst@chromium.org based on his reply on twitter.
Jul 11 2017
Dropping this to `Low`, it requires folks to already have an injection on a page directly before a nonced `<script>` element. I'll see what I need to do to get this fixed; I think the root cause is that we end up throwing away duplicate attributes in the HTML parser, which means I probably need to move the processing elsewhere.
Nov 30 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/f2e953cf9384199344e12d54658565a7e5ecde2e

commit f2e953cf9384199344e12d54658565a7e5ecde2e
Author: Mike West <mkwst@chromium.org>
Date: Thu Nov 30 12:54:10 2017

CSP: Block nonces for elements with duplicate attributes.

We throw away duplicate attributes when converting an `HTMLToken` into an `AtomicHTMLToken` for use in `HTMLConstructionSite` (this matches the specced behavior at [1]). That, unfortunately, means that the checks at [2] are more or less impotent.

This patch adds a `NodeFlag` which records whether the element was constructed with duplicate attributes, and treats those elements as non-nonceable. It also adds some counters; perhaps it's possible to be more aggressive about the existing behavior for repeated attributes, as it surprised me.

[1]: https://html.spec.whatwg.org/#attribute-name-state
[2]: https://w3c.github.io/webappsec-csp/#is-element-nonceable

Bug: 740615
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_slimming_paint_v2
Change-Id: I515753885167ac4acd7d0008e6aa81ce9f6f61cf
Reviewed-on: https://chromium-review.googlesource.com/566822
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroshige Hayashizaki <hiroshige@chromium.org>
Reviewed-by: Jochen Eisinger <jochen@chromium.org>
Cr-Commit-Position: refs/heads/master@{#520522}

[add] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/nonce-enforce-blocked.html
[add] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/support/nonce-should-be-blocked.js
[delete] https://crrev.com/4e197153a40aa5b298784c6132cac985d42a471e/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/nonces/script-enforce-blocked.php
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/dom/MockScriptElementBase.h
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/dom/Node.h
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/dom/ScriptElementBase.h
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/dom/ScriptLoader.cpp
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/html/HTMLScriptElement.h
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/html/parser/AtomicHTMLToken.h
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/html/parser/HTMLConstructionSite.cpp
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/Source/core/svg/SVGScriptElement.h
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/third_party/WebKit/public/platform/web_feature.mojom
[modify] https://crrev.com/f2e953cf9384199344e12d54658565a7e5ecde2e/tools/metrics/histograms/enums.xml
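The reproduction in the report and the fix described in this commit both come down to ordering: the HTML tokenizer drops a repeated attribute (keeping the first occurrence) before the CSP "is element nonceable" check ever sees it, so a "<script" marker carried by the second copy is never inspected. The following JavaScript is an added example, not Chromium's code or the reporter's test page; it models a simplified start-tag tokenizer (function names `tokenizeStartTag`, `isElementNonceable`, `isElementNonceableAfterDedup` and `scriptAllowedByNonce` are assumptions of this example) and runs the marker check in both orders over constructed tags taken from the report, with the commit's duplicate-attribute flag represented as a "any repeated attribute name blocks the nonce" rule.

```javascript
// Added example, not Chromium's code: a simplified model of the CSP
// "is element nonceable" check, run over the raw text of a start tag
// *before* duplicate attributes are discarded, beside the pre-fix
// ordering (deduplicate first, then look for the markers) to show why
// the duplicate-attribute case slipped through.

const NONCE_HIJACK_MARKERS = ['<script', '<style'];

// Minimal start-tag tokeniser modelled on the HTML attribute-name and
// attribute-value states; keeps every attribute, duplicates included.
// Assumption: input is one start tag such as '<script src=x nonce="n">'.
function tokenizeStartTag(raw) {
  const s = raw.trim();
  if (s[0] !== '<') throw new Error('expected a start tag: ' + raw);
  const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r' || c === '\f';
  let i = 1;
  let tagName = '';
  while (i < s.length && !isSpace(s[i]) && s[i] !== '>' && s[i] !== '/') tagName += s[i++];
  const attrs = [];
  while (i < s.length) {
    while (i < s.length && (isSpace(s[i]) || s[i] === '/')) i++; // before attribute name
    if (i >= s.length || s[i] === '>') break;
    let name = '';
    while (i < s.length && !isSpace(s[i]) && s[i] !== '/' && s[i] !== '>' && s[i] !== '=') {
      name += s[i++]; // attribute name state
    }
    while (i < s.length && isSpace(s[i])) i++; // after attribute name
    let value = '';
    if (s[i] === '=') {
      i++;
      while (i < s.length && isSpace(s[i])) i++; // before attribute value
      const q = s[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < s.length && s[i] !== q) value += s[i++]; // quoted value
        i++; // closing quote
      } else {
        while (i < s.length && !isSpace(s[i]) && s[i] !== '>') value += s[i++]; // unquoted value
      }
    }
    attrs.push([name.toLowerCase(), value]);
  }
  return { tagName: tagName.toLowerCase(), attrs };
}

// ASCII case-insensitive search for the nonce-hijacking markers.
function containsMarker(text) {
  const lower = text.toLowerCase();
  return NONCE_HIJACK_MARKERS.some((m) => lower.includes(m));
}

// Post-fix ordering: inspect every tokenised attribute, and additionally
// refuse the nonce when any attribute name repeats, as the Chromium patch
// does through its duplicate-attribute NodeFlag.
function isElementNonceable(rawStartTag) {
  const { attrs } = tokenizeStartTag(rawStartTag);
  const seen = new Set();
  for (const [name, value] of attrs) {
    if (containsMarker(name) || containsMarker(value)) return false;
    if (seen.has(name)) return false;
    seen.add(name);
  }
  return true;
}

// Pre-fix ordering: drop repeated attributes first (the parser keeps the
// first occurrence), then look for the markers. The marker carried by the
// second copy of an attribute is gone before it is ever inspected.
function isElementNonceableAfterDedup(rawStartTag) {
  const { attrs } = tokenizeStartTag(rawStartTag);
  const first = new Map();
  for (const [name, value] of attrs) if (!first.has(name)) first.set(name, value);
  for (const [name, value] of first) {
    if (containsMarker(name) || containsMarker(value)) return false;
  }
  return true;
}

// Whether a `script-src 'nonce-<policyNonce>'` source expression would admit
// this element: it must be nonceable and carry the matching nonce attribute.
function scriptAllowedByNonce(rawStartTag, policyNonce) {
  if (!isElementNonceable(rawStartTag)) return false;
  const nonce = tokenizeStartTag(rawStartTag).attrs.find(([n]) => n === 'nonce');
  return nonce !== undefined && nonce[1] === policyNonce;
}

// Constructed inputs: the report's duplicate-attribute tag beside a plain one.
const PLAIN_TAG = '<script src=data:,alert(1) nonce="abcd">';
const DUPLICATE_ATTR_TAG = '<script src=data:,alert(1) x="" x="<script" nonce="abcd" >';

if (typeof require !== 'undefined' && require.main === module) {
  for (const tag of [PLAIN_TAG, DUPLICATE_ATTR_TAG]) {
    console.log(tag);
    console.log('  dedup-then-check:', isElementNonceableAfterDedup(tag));
    console.log('  check-with-duplicate-flag:', isElementNonceable(tag));
    console.log('  allowed by nonce-abcd:', scriptAllowedByNonce(tag, 'abcd'));
  }
}
```

Run with `node` to see the two orderings side by side: the dedup-then-check path accepts the duplicate-attribute tag because the surviving `x=""` carries no marker, while the check that also refuses repeated attribute names rejects it, which is the behaviour the commit introduces. Rejecting on any repeated attribute rather than re-scanning the dropped copies is the simpler rule, and it is the one the patch chose.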
Feb 14 2018
This looks "Fixed" per #8.
Feb 26 2018
I'm afraid the VRP panel declined to reward for this bug. Thanks for the report!